If you use encryption (and I certainly hope you do!), you should be aware that a team of academics has revealed a new cryptographic attack this week that can break encrypted TLS traffic, allowing attackers to intercept and steal data previously considered safe and secure. This includes the encryption used by many, but not all, VPNs.
This new downgrade attack works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.
You can find an article by Catalin Cimpanu describing the newly-discovered weakness in the ZDnet web site at: https://zd.net/2N2RPRS.
Comments: While this new weakness obviously does pose a security risk for thousands of individuals and organizations that use encryption, I don’t think there is any need for immediate panic. First of all, there is no indication that the low-life hackers and government spies are already using the weakness. I am sure these miscreants will start exploiting the weakness as soon as they can read about the inner workings of the hack required, but that will take a few weeks. In the meantime, all the companies that create encryption software using TLS 1.3 should be updating their software.
This security weakness should not be a problem for anyone who monitors the situation closely and updates their encryption software, including VPNs, as soon as new updates are released.
However, there may be an even better and faster solution: I notice that the weakness is described as affecting only the latest version of the TLS protocol, TLS 1.3. That certainly is not the only encryption protocol in use. Simply switching to a different encryption protocol avoids the problem entirely. The problem is in identifying the protocol used in each encryption product you are using presently.
First, I’d suggest examining the web site of each vendor who produced each piece of encryption software you are using. Most vendors will advertise which protocol(s) are being used. If a vendor doesn’t describe its encryption methods, that’s a good clue that the vendor probably is using some publicly-available encryption software (of which there are several) and is simply embedding that software into their own products. In short, some companies may not know what encryption method is being used inside their own products. If so, that’s a rather strong incentive to stop using that encryption product and switch to something that is better documented.
Second, and perhaps the best way, is to simply switch to a different product, something that doesn’t use the TLS protocol. For VPNs, there are several to choose from.
Perhaps the best method of avoiding TLS protocol shortcomings in VPNs is to switch to the WireGuard VPN protocol. It doesn’t use the TLS protocol so it is an easy method of avoiding this new security problem.
I wrote about the WireGuard protocol a few months ago in an article at: https://privacyblog.com/2018/12/13/wireguard-probably-the-most-secure-and-fastest-vpn-available-today/ and more information is available at the WireGuard support web site at https://www.wireguard.com.
Please note that the WireGuard software is written by an international team of volunteer programmers and is not subject to influence by any single government. In fact, it is designed to thwart the efforts of all repressive governments as well as other lowlife hackers. The WireGuard software also is all open source. If you have the expertise to read the code, you can even download the source code and examine it yourself for possible deficiencies. Most people won’t do that, of course. Luckily, there are many people who do have that expertise and will examine the code, then alert the rest of us to any problems identified.
WireGuard VPN software is available for Macintosh, Windows, Linux, Android, and Apple iOS (iPhone, iPad, or iPod touch) devices, and it can also be installed in a router. The advantage of installing it in a router is that it protects ALL the devices connected to that router, including gaming consoles, VoIP telephones, Amazon Echo (“Alexa”) devices, streaming video set-top boxes (Roku, Apple TV, and others) and more.
Several vendors are now producing WireGuard-protected VPNs. In fact, I am using a WireGuard-protected router at this moment to post this article and have been using it for several weeks, including from a hotel room in Bangkok, Thailand on one of my recent trips.
The WireGuard-equipped router worked so well in my travels that I purchased a second one to use at home all the time. I leave the first one in my travel carry-on bag that I never fully unpack. After returning from a trip, I remove the soiled laundry and anything perishable from the carry-on bag but leave everything else in the bag. After doing laundry and purchasing new snack food, toiletries, and other items for the carry-on, I immediately repack the bag and leave it in the closet until the next trip. Then it is usually a “grab-it-and-go” exercise. It doesn’t take me long to pack for a trip!
You can read my article, The Easiest Way to Install a VPN, at: https://privacyblog.com/2019/01/03/the-easiest-way-to-install-a-vpn/.
NOTE: The GL.iNet GL-AR750S-Ext Gigabit Travel AC Router that I described in the earlier article has both the traditional OpenVPN software and the newer WireGuard® VPN software pre-installed. If you want to use WireGuard on this router, make sure you specify that when installing the router and then connect only to a VPN server that can handle WireGuard. Not many VPN providers are set up for WireGuard but I did mention several available WireGuard VPN services at the end of my earlier article at: https://privacyblog.com/2018/12/13/wireguard-probably-the-most-secure-and-fastest-vpn-available-today/.
Whether you wait for an update to your present products or elect to switch to a different encryption methodology, you need to be aware of the encryption methods you are using and the options available.